1 MORGAN & MORGAN MILBERG TADLER PHILLIPS ......2019/04/09 · 1 MORGAN & MORGAN 2 3 4 5 6 7 8 9 10...

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

MORGAN & MORGAN

COMPLEX LITIGATION GROUP

John A. Yanchunis (Admitted Pro Hac Vice)

201 N. Franklin Street, 7th Floor

Tampa, FL 33602

Telephone: 813/223-5505

813/223-5402 (fax)

[email protected]

ROBBINS GELLER RUDMAN

& DOWD LLP

Stuart A. Davidson (Admitted Pro Hac Vice)

120 East Palmetto Park Road, Suite 500

Boca Raton, FL 33432

Telephone: 561/750-3000

561/750-3364 (fax)

[email protected]

CASEY GERRY SCHENK FRANCAVILLA

BLATT & PENFIELD LLP

Gayle M. Blatt (122048)

110 Laurel Street

San Diego, CA 92101

Telephone: 619/238-1811

619/544-9232 (fax)

[email protected]

MILBERG TADLER PHILLIPS

GROSSMAN LLP

Ariana J. Tadler (Admitted Pro Hac Vice)

One Pennsylvania Plaza, 19th Floor

New York, NY 10119

Telephone: 212/594-5300

212/868-1229 (fax)

[email protected]

LOCKRIDGE GRINDAL NAUEN P.L.L.P.

Karen Hanson Riebel (Admitted Pro Hac Vice)

100 Washington Ave. South, Suite 2200

Minneapolis, MN 55401

Telephone: 612/339-6900

612/339-0981 (fax)

[email protected]

ROBINSON CALCAGNIE, INC.

Daniel S. Robinson (244245)

19 Corporate Plaza Dr.

Newport Beach, CA 92660

Telephone: 949/720-1288

949/720-1292

[email protected]

Attorneys for Plaintiffs and Proposed Class Counsel

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA - SAN JOSE DIVISION

IN RE: YAHOO! INC. CUSTOMER DATA

SECURITY BREACH LITIGATION

)

)

)

)

)

)

)

)

)

)

)

No. 16-md-02752-LHK

MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT OF PLAINTIFFS’ MOTION TO NOTICE CLASS

1

Date:

Time: ____ p.m.

Courtroom: 8, 4th Floor

Judge: Hon. Lucy H. Koh

1 The decision of a court to give notice under Rule 23(e)(1) was previously referred to as

“preliminary approval.” See 2018 Advisory Committee Note., Subdivision (c)(2). Plaintiffs now understand that such a motion should, under the amended rule, seek an order permitting notice to the Class, rather than “preliminary approval.”

Case 5:16-md-02752-LHK Document 369 Filed 04/09/19 of 43

MEMO ISO PLTFS’ MOTION TO NOTICE CLASS - 16-md-02752-LHK - i -

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

Table of Contents

I. Introduction ..................................................................................................................................1

II. Background .................................................................................................................................3

A. Yahoo’s Services and Representations Concerning Data Security .................................3

B. The 2013 Breach, 2014 Breach, And Forged Cookie Breach ........................................3

C. Coordination and Consolidation in Federal and State Courts ........................................4

D. Litigation History ............................................................................................................5

E. Plaintiffs’ Claims and Relief Sought ...............................................................................7

F. Defendants’ Class Certification Opposition and Daubert Challenges ...........................8

G. Settlement Negotiations .................................................................................................8

III. The Settlement Terms ................................................................................................................9

A. Proposed Settlement Class ..............................................................................................9

B. Business Practice Changes ...........................................................................................10

C. Settlement Fund.............................................................................................................11

1. Out-Of-Pocket Costs ..........................................................................................12

2. Paid User and Small Business User Costs .........................................................13

3. Alternative Compensation .................................................................................13

D. Credit Services ..............................................................................................................13

E. Class Notice and Settlement Administration .................................................................15

F. Service Awards To Named Plaintiffs ...........................................................................15

G. Attorneys’ Fees, Costs, and Expenses ..........................................................................15

H. Reduction or Residual ...................................................................................................16

I. Release ............................................................................................................................16

IV. Argument ................................................................................................................................16

A. The Settlement Class Should Be Preliminarily Certified ..............................................16

1. The Rule 23(A) Requirements Are Met.............................................................16

2. The Rule 23(B) Requirements Are Met .............................................................17

B. The Settlement Should Be Preliminarily Approved ......................................................18


MEMO ISO PLTFS’ MOTION TO NOTICE CLASS - 16-md-02752-LHK - ii -

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

1. Amended Rule 23(e) ..........................................................................................18

a. Adequacy of Relief: Costs, Risks, and Delay ..............................................19

b. Adequacy of Relief: Proposed Method of Distributing Relief ....................23

c. Adequacy of Relief: Attorneys’ Fees ...........................................................25

d. Adequacy of Relief: Rule 23(e)(3) Agreements and Equality of Treatment ...............................................................................................................25

2. District’s Procedural Guidance ..........................................................................25

a. District Guidance Factor 1: Settlement Information ....................................26

i. Factors 1(a) & 1(c): Classes and Claims Alleged v. Settled ......................26

ii. Factor 1(e): Anticipated Recovery v. Settlement Amount .......................26

iii. Factor 1(g): Expected Claims Rates ........................................................28

b. Factor 2: Administrator Selection ................................................................29

c. Factor 3-5: Notice Plan, Opt-Outs, and Objections .....................................30

d. Factor 6: Attorneys’ Fees, Costs, and Expenses ..........................................30

e. Factor 7-10: Service Awards, Cy Pres, Timeline, and CAFA .....................30

f. Factor 11: Past Distributions ........................................................................31

3. Ninth Circuit Final Approval Factors ................................................................31

a. The Strength of Plaintiffs’ Case and Risk of Further Litigation ....................32

b. The Risk of Maintaining Class Action Status Through Trial ........................32

c. The Amount Offered in Settlement ................................................................32

d. The Extent of Discovery Completed and the Stage of Proceedings ..............33

e. The Experience and View of Counsel ...........................................................33

f. The Presence of a Government Participant ....................................................33

g. The Reaction of the Class Members to the Proposed Settlement ..................34

h. Lack of Collusion Among the Parties ............................................................34

i. The Proposed Notice Plan Should be Approved ............................................34

23


MEMO ISO PLTFS’ MOTION TO NOTICE CLASS - 16-md-02752-LHK - iii -

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

C. Appointment of Settlement Class Counsel....................................................................35

D. Schedule For Final Approval ........................................................................................35

V. Conclusion ................................................................................................................................35


MEMO ISO PLTFS’ MOTION TO NOTICE CLASS - 16-md-02752-LHK - iv -

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

CASES

Amchem Prods. v. Windsor, 521 U.S. 591,620 (1997) ................................................................. 16

G. F. v. Contra Costa Cty., 2015 WL 4606078, at *13 (N.D. Cal. July 30, 2015) ...................... 34

Hammond v. The Bank of N.Y. Mellon Corp., 2010 WL 2643307, at *1 (S.D.N.Y. June 25, 2010) ................................................................................................................... 22

Hanlon v. Chrysler Corp., 150 F.3d 1011, 1022 (9th Cir. 1998). ................................................ 17

In re Anthem, Inc. Data Breach Litig., 15-MD-02617-LHK, 2018 WL 3872788, at *11 (N.D. Cal. Aug. 15, 2018) .......................................................................................... 18

In re Bluetooth Headset Products Liab. Litig., 654 F.3d 935, 946 (9th Cir. 2011). ..................... 32

In re Linkedin User Privacy Litig., 309 F.R.D. 573, 585 (N.D. Cal. 2015) ................................. 18

In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 266 F. Supp. 3d 1, 19 (D.D.C. 2017) ................................................................................................................... 22

In re: Yahoo! Inc. Customer Data Breach Security Litigation, Case No. 16-md-02752-LHK (N.D. Cal.) ...................................................................................................... 4

Just Film, Inc. v. Buono, 847 F.3d 1108, 1118 (9th Cir. 2017) .................................................... 17

Linney v. Cellular Alaska P’ship, 151 F.3d 1234, 1238 (9th Cir. 1998) ...................................... 22

Smith v. Triad of Alabama, LLC, 2017 WL 1044692, at *6 (M.D. Ala. Mar. 17, 2017) ............. 32

Spann v. J.C. Penney Corp., 314 F.R.D. 312, 331 (C.D. Cal. 2016) ............................................ 24

Staton v. Boeing Co., 327 F.3d 938, 957 (9th Cir. 2003) ............................................................. 17

Tyson Foods, Inc. v. Bouaphakeo, 136 S. Ct. 1036, 1045 (2016) ................................................ 18

Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 350 (2011) .......................................................... 17

STATUTES

Class Action Fairness Act, 28 U.S.C. § 1715 ............................................................................... 34

OTHER AUTHORITIES

2018 Amendment Advisory Committee Notes ............................................................................. 19

Manual for Complex Litigation, § 21.632 .................................................................................... 16

RULES

Fed. R. Civ. P. 23(a) ............................................................................................................... 16, 17


MEMO ISO PLTFS’ MOTION TO NOTICE CLASS - 16-md-02752-LHK - 1 -

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

I. INTRODUCTION

Following the Court’s denial of preliminary approval (ECF Nos. 353, 357), the Parties

immediately set about addressing the issues the Court identified, re-engineering the resolution of

this case. The Amended Settlement Agreement2 not only provides the biggest common fund ever

obtained in a data breach case ($117,500,000.00), it materially moves the benchmarks on: The

individual claim cap ($25,000), the amount of lost time that can be reimbursed (15 hours), the

minimum rate at which such time is compensated ($25.00/hour), and alternative compensation

for those already having credit monitoring ($100, up to full retail value of $358.80).

Moreover, the Parties have addressed the other issues raised by the Court in its order.

First, Plaintiffs are contemporaneously filing a Second Amended Complaint (“SAC”), which

advances claims on behalf of a class of users subject to security incidents occurring in 2012.

Likewise, the notices have been revised to address the 2012 Intrusions so as to advise class

members of the existence, nature, and release, of those claims. See, e.g., Long Form, S.A. Exh.

5a §2. The Settlement Agreement also establishes a single non-reversionary common fund from

which all amounts will be drawn—other than funds related to Business Practice Changes—

thereby fully and transparently disclosing the total size of the Settlement Fund. This change also

addresses the Court’s concern regarding the possible reverter of attorneys’ fees; as all funds not

awarded as attorneys’ fees and costs will remain in the Settlement Fund for dispersal to the

Class. The Parties have also revised the Business Practice Changes to make them significantly

more concrete and thus reviewable by the Court and the Class, including definite budget and

staffing commitments, as well as provisions for audits by a Third-Party Assessor. Finally, as

explained further below, Yahoo3 has engaged in significant analysis of its User Data Base

(“UDB”) and other user metrics in order to arrive at estimations of the class size, now projected

as, at most, 194 million users. This analysis has been subjected to confirmatory depositions, and

the Business Practice Changes have been evaluated by Plaintiffs’ expert and found satisfactory.

2 Unless otherwise noted, all capitalized terms are defined in the Amended Settlement

Agreement and Release, which is being filed concurrently herewith as Exhibit A to the accompanying Declaration of John Yanchunis, and referred to hereafter as “SA” or “Settlement.” 3 As noted in the Amended Settlement Agreement, herein, Yahoo refers to both Oath Holdings

and Altaba. Settlement Agreement §§ 1.54, 1.55.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

See Exhibits D, E, F, G, Declarations of G. Whipple, J. Slomczynski, C. Nims, and M. Frantz.

Specifically, from $117.5 million non-reversionary Settlement Fund will be drawn all

amounts necessary for: (1) at least two years of credit monitoring, open to all Class Members

without any cap as to the number of potential claimants, at a cost of $24 million; (2) notice and

administration costs of no more than $6 million; (3) attorneys’ fees of no more than $30 million

and costs and expenses of no more than $2.5 million; (4) service awards of between $7,500 and

$2,500 per Settlement Class Representative; (5) alternative compensation of $100 for those

individuals already having credit monitoring; and (6) out-of-pocket expenses related to identify

theft, lost time, paid user costs, and small business user costs.

Separate and apart from the Settlement Fund, and as a result of the litigation, Oath also

made, and continues to make, significant financial investment in, and substantive changes to, its

information security environment, including encryption of the UDB backup files, enhanced

intrusion detection tools, increased information security team headcount and budget, and

implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity

(“NIST Cybersecurity Framework”), amongst others. As part of the Amended Settlement, Oath

will maintain an information security budget of more than $300 million over the next 4 years and

a team headcount of 200, amounts that are at least four times and three times greater,

respectively, than Yahoo maintained prior to this case.4 In light of these changes, the Parties

believe the Settlement is fair, reasonable, and adequate, and Plaintiffs respectfully request the

Court enter an order:

(1) Finding that the Court will likely be able to approve this Settlement as fair,

reasonable, and adequate under Rule 23(e)(2);

(2) Directing Notice to be disseminated to the Settlement Class in the form and

manner proposed by the Parties as set forth in the Settlement and Exhibit 5

thereto;

4 Likewise apart from the Settlement Fund, Yahoo also paid a civil penalty of $35 million to the

Securities and Exchange Commission, and resolved securities litigation with an $80 million fund, each arising out of the Data Breaches at issue here. See In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc., File No. 3-18448, 2018 WL 1919547 (S.E.C. April 24, 2018), available at https://www.sec.gov/litigation/admin/2018/33-10485.pdf; In Re Yahoo! Inc. Securities Litigation, 5:17-CV-00373, ECF No. 118 (N.D. Cal. Sept. 7, 2018).



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

(3) Appointing Heffler Claims Group (“Heffler”) to serve as the Settlement

Administrator;

(4) Appointing Class Counsel; and

(6) Setting a hearing date and schedule for final approval of the settlement and

consideration of Class Counsel’s motion for award of fees, costs, expenses, and

service awards.

II. BACKGROUND

A. Yahoo’s Services and Representations Concerning Data Security

Yahoo provides comprehensive internet services. Yahoo’s basic service is Yahoo Mail, a

free email service. Since 2011, Yahoo also provided a premium email service (“Paid Mail”),

costing between $19.99 and $49.99 per year for features such as ad-free mail and priority

customer support.5 Yahoo also provides paid business services. Cert. Memo, Ex. 3 at 941.

Anyone creating a Yahoo account in the United States or Israel agrees to Yahoo’s Terms of

Service (“Yahoo TOS”). Id., Ex. 4. The Yahoo TOS incorporated a “Privacy Policy,” which

stated: “We have physical, electronic, and procedural safeguards that comply with federal

regulations to protect personal information about you.” Id., Ex. 6. On the “Security at Yahoo”

web page linked to the Privacy Policy, Yahoo represented: “We deploy industry standard

physical, technical, and procedural safeguards that comply with relevant regulations to protect

your personal information.” Id., Ex. 7. Similar, uniform representations were made in the Small

Business Terms of Service (id., Ex. 8), and incorporated Privacy Policy (id., Ex. 9).

B. The Breaches

In September 2016, Yahoo revealed that Personal Information “associated with at least

500 million user accounts was stolen” from Yahoo’s UDB in late 2014 (the “2014 Breach”).

Cert. Memo, Ex. 10. A few months later, Yahoo revealed that “an unauthorized third party, in

August 2013, stole [Personal Information] associated with more than one billion user accounts”

(the “2013 Breach”). Id., Ex. 14. Ten months later, it was announced that the 2013 Breach

affected all three billion existing accounts. Id., Ex. 13. Around the same time the 2013 Breach

5 See Memorandum of Points and Authorities In Support of Plaintiffs’ Motion for Class

Certification (“Cert. Memo”) at 1, (ECF No. 248-5 at 9), and its Exhibit 3 at 939-941. To avoid further burdening the record, Plaintiffs will cite to the Cert. Memo and its exhibits rather than re-attaching those exhibits.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

was first announced, Yahoo confirmed that “an unauthorized third party accessed the company’s

proprietary code to learn how to forge cookies,” and that the “cookie forging activity” had

continued for more than one and a half years, from early 2015 through September 2016 (the

“Forged Cookie Breach”). See Id., Ex. 14; Ex. 11 at 918. During the course of discovery,

Plaintiffs uncovered evidence regarding cybersecurity incidents in 2012 as well. Specifically, in

January 2012, cybersecurity firm Mandiant investigated a potential breach at Yahoo. SAC ¶¶ 2,

71–80. Mandiant found that two different Advanced Persistent Threat (APT) hacking groups

were actively compromising Yahoo’s systems (“2012 Intrusions”), Id. ¶¶ 3, 74–76, 78.6

Collectively, the Data Breaches impacted approximately one billion U.S. and Israeli accounts.7

Cert. Memo at 2-3, Ex. 11 & 12.

C. Coordination and Consolidation in Federal and State Courts

Beginning in September 2016, multiple class action lawsuits were filed against Yahoo

and other Defendants in federal courts across the country and in California state courts, alleging

that Defendants failed to properly protect personal information in accordance with their duties,

had inadequate data security, and delayed notifying potentially impacted individuals of the Data

Breaches. On December 7, 2016, the Judicial Panel on Multidistrict Litigation transferred several

federal putative class action lawsuits to this Court (the “MDL Court”) for coordinated pretrial

proceedings in In re: Yahoo! Inc. Customer Data Breach Security Litigation, Case No. 16-md-

02752-LHK (N.D. Cal.) (“MDL Case”). ECF No. 1. Meanwhile, multiple parallel actions were

also coordinated in California state court, which, on February 28, 2017, were assigned by the

Judicial Council to a coordination trial judge for coordinated pretrial proceedings, in Yahoo! Inc.

Private Information Disclosure Cases, JCCP No. 4895 (Orange County Sup. Ct.) (the “JCCP

Case”). Exhibit B, Declaration of Daniel S. Robinson (“Robinson Dec.”), Ex. 3. On March 14,

6 The 2013, 2014, and Forged Cookie breaches, along with the 2012 Intrusions, are referred to

jointly as the “Data Breaches.” 7 The MDL included claims on behalf of users residing in Israel with Yahoo accounts between

2012 and 2016, and Israeli users specifically agreed in the TOS to be bound by California law, and to litigate any disputes relating to their use of Yahoo in the United States. Notwithstanding the provisions of the TOS, two parallel class actions alleging claims related to the Data Breaches were filed in Israel, and styled Class Action 7406-08-17 Raynzilber v. Yahoo! Inc. and Class Action 61020-09-16 Lahav v. Yahoo! Inc., respectively. Persons residing in Israel who used Yahoo services between 2012-2016 are eligible for benefits under the Settlement in this action.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

2017, the Orange County Superior Court Presiding Judge assigned the Honorable Thierry P.

Colaw (Ret.)8 (“JCCP Court”) to be the coordination trial judge. Id., Ex. 4. Leadership was

appointed in both the MDL Case and JCCP Case.9 Throughout discovery, MDL and JCCP Class

Counsel worked cooperatively in the scheduling and taking of offensive depositions.

D. Litigation History

Following centralization, MDL Class Counsel filed a Consolidated Class Action

Complaint (“CAC”) (ECF No. 80), Defendants moved to dismiss the CAC, (ECF No. 94), and

this Court granted in part and denied in part the motion by Order dated August 30, 2017 (ECF

No. 132). On December 19, 2017, MDL Class Counsel filed a First Amended Consolidated Class

Action Complaint (“FAC”) (ECF No. 179), Defendants moved to dismiss (ECF No. 205), and

this Court granted in part and denied in part the motion on March 9, 2018 (ECF No. 215).

As to the JCCP action, on May 25, 2017, Yahoo moved to stay the proceeding. After

briefing and argument on the issue, JCCP Class Counsel filed a Consolidated Complaint alleging

state law causes of action. Robinson Dec., Ex. 6. The JCCP Court ultimately denied Yahoo’s

motion to stay on June 23, 2017. Id. ¶ 16. On July 27, 2017, Yahoo demurred, which, after

briefing and argument, the JCCP Court sustained in part and overruled in part, with claims for

violation of California’s Unfair Competition Law, Customer Records Act, negligence, breach of

contract, and invasion of privacy under the California Constitution proceeding. See id. ¶¶ 16-18

Ex. 7.

8 Following Judge Colaw’s retirement in January 2018, the JCCP case was re-assigned to Judge

Glenda Sanders, who when presented with the Parties proposed settlement approval process said the process “makes sense.” Robinson Decl. ¶ 33, Ex. 8 9 On February 9, 2017, this Court appointed John Yanchunis of Morgan & Morgan Complex

Litigation Group as Lead Counsel, and Ariana Tadler of Milberg Tadler Phillips Grossman LLP, Stuart Davidson of Robins Geller Rudman & Dowd LLP, Gayle Blatt of Casey Gerry Schenk Francavilla Blatt & Penfield LLP, and Karen Hanson Riebel of Lockridge Grindal Nauen PLLP, to the Plaintiffs’ Executive Committee representing Plaintiffs and putative class members in the MDL Case (“MDL Class Counsel”). On May 26, 2017, the JCCP Court approved and entered JCCP Case Management Order No. 1 appointing Daniel S. Robinson of Robinson Calcagnie, Inc. and Brian Chase of Bisnar | Chase LLP as Co-Lead Counsel, Eric A. Grover of Keller Grover LLP as Liaison Counsel, and Jeremiah Frei-Pearson of Finkelstein, Blankinship, Frei-Pearson & Garber LLP, Neil Fineman of Fineman Poliner LLP, Robert Samini of Samini Scheinberg PC, Nathan Smith of Brown Neri Smith & Khan LLP, and Brian Kabateck of Kabateck Brown Kellner LLP to the Plaintiffs’ Steering Committee, to represent Plaintiffs and putative class Members in the JCCP Case (“JCCP Class Counsel”). Robinson Dec., Ex. 5.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

Throughout this time, discovery was ongoing. Initially, the Parties negotiated for Yahoo

to begin producing certain documents prior to the start of formal discovery. The Parties then

engaged in extensive discussions to reach a series of stipulated discovery orders (including

Protective Order (ECF No. 73), ESI protocol (ECF No. 74), Rule 502 Order (ECF No. 76), and

ESI Search Protocol (ECF No. 104)), and multiple rounds of negotiations to reach agreement on

hundreds of search terms.10

Yahoo then produced, and Plaintiffs reviewed, over 9 million pages

of documents which provided Plaintiffs’ counsel and their experts with a detailed understanding

of how the Breaches occurred, why they occurred, and what Yahoo did (and did not do) in

response. Id. With this wealth of knowledge, and the aid of their cybersecurity experts, Plaintiffs

identified the critical information security personnel who worked at Yahoo during the relevant

time periods. In addition to three days of Yahoo corporate representative depositions, Plaintiffs’

counsel also deposed former Chief Information Security Officers (“CISO”) Justin Somaini, Alex

Stamos, and Bob Lord; former incident response team leader and interim CISO Ramses

Martinez; former penetration testing team leader Christopher Rohlf; and former Chief

Information Officer (“CIO”) Jay Rossiter. Yanchunis Dec., ¶ 9; Robinson Dec. ¶28. Further, at

the time the original Agreement was reached, Plaintiffs had set deposition dates for former

Yahoo Chief Executive Officer Marisa Mayer11

and former General Counsel Ronald Bell, and

were seeking dates for Yahoo co-founder, and former Board of Directors member, David Filo.

Plaintiffs also propounded interrogatories, to which Defendants responded. Id. ¶ 15.

These efforts yielded an abundance of information upon which Plaintiffs’ expert

cybersecurity team, led by Mary Frantz, relied on in forming opinions on why the Data Breaches

occurred and how they could and should have been prevented.

In addition, eight of the nine named MDL Case Plaintiffs had their devices forensically

imaged, search terms were applied and the documents containing the terms were reviewed and

produced, if responsive and non-privileged; each responded to document requests and

10

During this period, JCCP Class Counsel also entered into a Protective Order, ESI Order, and ESI search protocol, and engaged in numerous negotiations with Yahoo regarding the search terms that would be used in both the JCCP and the MDL action. Robinson Dec., ¶¶ 20-22. 11

Which was delayed only after motions practice at the order of Judge Cousins. (ECF No. 286).



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

interrogatories; and each was deposed. Id. ¶¶ 29. Plaintiffs also produced for deposition four

expert witnesses—James Van Dyke, Mary Frantz, Ian Ratner, and Gary Parilis—each of whom

previously produced reports. Id. ¶ 17.

With a well-developed record in hand, on July 13, 2018, MDL Class Counsel filed a

motion for class certification (ECF No. 248). Defendants filed an opposition and three Daubert

motions (ECF Nos. 295, 301–303). JCCP Counsel filed a motion for class certification on

August 27, 2018. Robinson Dec., ¶ 30.

E. Plaintiffs’ Claims and Relief Sought

Plaintiffs sought several types of equitable and monetary relief in this matter, premised

on two foundational allegations: Yahoo’s information security was inadequate and it waited too

long to inform users of the Data Breaches. Fundamentally, Plaintiffs’ asserted that, despite

holding Yahoo’s most valuable information, the UDB was improperly protected.

Accordingly, Plaintiffs sought equitable relief aimed at remediating the information

security deficits they uncovered. In support of their class certification motion, Plaintiffs

submitted an expert report setting forth several security controls needed to protect the

information Yahoo stored, including increased funding and staffing for information security,

adoption and implementation of the NIST Cybersecurity Framework, as well as increased and

enhanced executive oversight. Cert. Memo, Ex. 93 at 10–14. Had the case not settled, Plaintiffs

anticipated seeking an injunction requiring Yahoo to implement these measures, amongst others.

Plaintiffs also sought damages under three complex and novel theories: benefit of the

bargain and restitution, lost value of Personally Identifiable Information (“PII”), and identity

theft losses. Cert. Memo at 26-31. As to benefit of the bargain, Plaintiffs’ expert, Gary Parilis,

supported a conjoint analysis to determine the amount Paid Users and Small Business Users

overpaid for Yahoo’s services because of the concealed security inadequacies. Id. at 27.

Plaintiffs proposed two methods of identifying lost value of PII. In the first, statistical

sampling would determine the PII in an average users’ account and its value in order to calculate

aggregate damages. In the second, a market-based approach—analyzing the value of PII in



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

comparable transactions—would be utilized to determine damages resulting from the diminution

in value of class members’ PII as a result of the Data Breaches. Id. at 27-30.

Finally, identity theft losses were proposed to be established through a claims process,

where: (1) temporally, the identity theft followed the Breach(es) in which the PII was taken, and

(2) the PII taken must have been the same kind needed to commit the identity theft suffered.

Cert. Memo at 30–31. Identity theft losses would include, among other things, money spent to

rectify identity fraud, delayed tax refunds, and fees for fraud-prevention and detection services.

F. Defendants’ Class Certification Opposition and Daubert Challenges

Defendants opposed Plaintiffs’ class certification motion and filed three Daubert

motions. ECF Nos. 295, 301–303. Defendants challenged Plaintiffs’ ability to prove they were

harmed by the cyberattacks, and that Yahoo’s actions caused that harm. Defendants asserted that

Plaintiffs had no class-wide proof of those elements and that proving each would require

potentially millions of mini-trials. Because the compromised UDB did not contain the type of

information that would directly lead to the harms alleged, Defendants pointed out that Plaintiffs

must rely on the information accessible in email content, which would necessarily vary from

person to person. Defendants additionally challenged the methodologies set forth in Plaintiffs’

expert reports, asserting that: Plaintiffs’ Lost Value of PII damages model was unreliable

because fictitious information was sometimes provided in connection with Yahoo accounts and it

is impossible to diminish the value of fake information, amongst other reasons; and Plaintiffs’

benefit of the bargain hypothesis failed because Defendants maintained identical security

measures for paid and free users, therefore Paid and Small Business Users lost no benefit of their

bargain. Defendants also proffered their own experts relating to damages and the non-existent, or

extremely brief, period of vulnerability for any named Plaintiffs’ information on the Dark Web.

G. Settlement Negotiations

On August 14 and September 7, 2018, MDL Class Counsel, JCCP Class Counsel, and

Defendants engaged in arm’s-length, in-person, day-long mediation sessions under the direction

of the Honorable Daniel Weinstein (Ret.), Jed Melnick, and Simone Lelchuk of JAMS

(“Mediators”). In addition, between August 15 and September 7, 2018, counsel for Defendants



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

and Plaintiffs engaged in multiple arms-length ongoing settlement negotiations. During the

second formal mediation session, the parties agreed to terms forming the substance of the

original Settlement. Negotiations of attorneys’ fees, costs, and expenses did not begin until

agreement on behalf of the Settlement Class had been reached. S.A. § 12.1; Yanchunis Dec.,

¶ 20. Following this Court’s Order denying the First Motion for Preliminary Approval, Lead

Settlement Counsel and Defendants’ counsel engaged in a series of settlement negotiation

conversations, resulting in the Amended Settlement. (Yanchunis Dec. ¶ 23; Robinson Dec. ¶34)

III. THE SETTLEMENT TERMS

A. Proposed Settlement Class

The Amended Settlement Agreement will provide relief for the following Class:

All U.S. and Israel residents and small businesses with Yahoo accounts at any

time during the period of January 1, 2012 through December 31, 2016, inclusive;

provided, however, that the following are excluded from the Settlement Class: (i)

Defendants, (ii) any entity in which Defendants have a controlling interest, (iii)

Defendants’ officers, directors, legal representatives, successors, subsidiaries, and

assigns; (iv) any judge, justice, or judicial officer presiding over this matter and

the members of their immediate families and judicial staff; and (v) any individual

who timely and validly opts-out from the Settlement Class.

S.A. § 1.43. This proposed class encompasses—at most—approximately 896 million accounts

and no more than 194 million individuals. Whipple Decl. ¶¶ 6-7. As set forth in the declaration

of Dr. Whipple, while the 2013 Breach included all existing accounts, that is a world-wide

number of accounts not users. Once test and abuse accounts were removed, and after filtering for

accounts with U.S. Terms of Service, there were 896 million accounts. To estimate actual users,

Dr. Whipple further filtered using alternative email or phone number, and registration IP address,

to reach an estimated Class size of at most 194 million. Whipple Decl. ¶¶ 5-10. Oath’s Product

Manager of Audience Data Engineering, Jakub Slomczynski, further explains that Yahoo can

also track registered users (those logged-in with accounts stored in the UDB) who access Yahoo

properties from U.S. IP Addresses in a given time frame. During the fourth quarter of 2016 the

monthly average of U.S. IP registered users accessing Yahoo properties was approximately 77.4

million; in the fourth quarter of 2012, it was 112.8 million, of which 93.6 million were Yahoo

Mail users; and during the fourth quarter of 2013, it was approximately 113.5 million, of which



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

88.6 million were Yahoo Mail users. Slomczynski Decl. ¶¶ 11, 14–15.12

B. Business Practice Changes

Enhanced and improved data security is a critical aspect of the Settlement. Yahoo has

made, and continues to make, substantial enhancements, expenditures, and improvements to its

security environment in response to the litigation. Specifically, upon acquisition by Verizon, an

extraordinary “investment” budget was allocated to improve security headcount and build new

security capabilities—over and above the already substantially increased yearly operational

budget. Nims Decl. ¶ 4. This combined operations and investment budget from 2017 to 2019 is

$234.7 million: $28.7 million in 2017, $98 million in 2018, and $108 million currently allocated

for 2019. Nims. Decl. ¶ 4. Yahoo also has committed to yearly information security budgets of at

least $66 million through 2022, some four times greater that Yahoo’s average information

security budget from 2013-2016. Nims Decl. ¶4; S.A. Exh. 2, ¶¶ 1-2.

Information security employee headcount—a recurrent issue at Yahoo during the period

of the Breaches—has likewise vastly improved. The Yahoo Paranoid team headcount pre-

acquisition in 2016 was approximately 48; by 2018, Oath had approximately 146 full time

employees dedicated to security. Nims Decl. ¶ 6. In addition, approximately 80 full time

consultants and contractors provided security services to Oath in 2018. Id. For 2019, Oath has

budgeted for a headcount of approximately 200 fulltime employees dedicated to security, more

than four times the security headcount at legacy Yahoo; and Defendants have committed to

maintaining a headcount of 200 through 2022. S.A. Exh. 2 ¶ 2.

Oath has aligned its security program to the NIST Cybersecurity Framework, has

undergone a maturity assessment against NIST in collaboration with a third-party, and has

agreed to undergo such Third-Party assessments for four years beginning in 2019. Nims Decl. ¶¶

17-18; S.A. Exh. 2 ¶¶ 3,7. Oath also implemented vulnerability management schedules, requiring

S0 issues (the most critical), and S1 issues, amongst others, to be resolved on a set schedule;

12

Slomczynski also explains the “650 million monthly mobile users” referenced in the Court’s prior order (ECF No. 357 at 22), is a worldwide number (less than 250 million were U.S.), that includes unregistered users (for whom no information is stored in the UDB). Id. ¶¶ 9-10.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

schedules that persist under the Agreement. Nims Decl. ¶ 40; S.A. Exh. 2 ¶12. UDB access has

been strictly limited, and intrusion detection has been added. Nims Decl. ¶¶ 27-30, 33-36.

Defendants have obtained enhanced intrusion and anomaly detection tools—industry

standard tools that were lacking during the period of the Breaches. Defendants have also

implemented System Incident and Event Management (SIEM) along with other scanning and

network visibility tools. Nims Decl. ¶¶ 37-39. Alongside increased, and comprehensive,

employee training; the maintenance of event logs for three years (two years longer than industry

standard); as well as proactive penetration testing by the Red Team; and an external CISO board

of advisors, (S.A. Exh. 2 ¶¶ 4-5, 8, 16, 17; Nims Decl ¶¶ 7-12, 19-25, 52), the Business Practice

Changes “adequately address the deficiencies [Plaintiffs’ expert Mary Frantz] found within

Legacy Yahoo’s information security environment.” Frantz Decl. ¶ 35.

These measures directly relate to the inadequacies Plaintiffs identified during discovery.

For example, the class certification motion explained that Yahoo’s information security team

was significantly understaffed and underfunded, Yahoo lacked intrusion detection systems and

had inadequate logging, access to the UDB was liberally granted and backup copies of the UDB

were regularly created without encryption or auditing. Cert. Memo at 11-17.

C. Settlement Fund

The Settlement also requires Yahoo to pay $117.5 million into a Settlement Fund. S.A.

§ 3.1. All remuneration—other than amounts related to the Business Practice Changes—will be

drawn from this Fund, comprised of amounts: (a) to reimburse Settlement Class Members who

have out-of-pocket losses; (b) to compensate Paid and Small Business Users up to 25% of the

amounts they paid for Yahoo’s email services; (c) to pay Alternative Compensation to those

already having credit monitoring; (d) for the costs of class notice and settlement administration;

(e) to provide at least two years of Credit Monitoring Services; (f) for all attorneys’ fees, costs,

and expenses; and (g) for Service Awards to Settlement Class Representatives. S.A. §§ 3.2, 4.8,

5.3, 6.4, 6.5, 6.7, 10.3, 11.2, 12.2. Plaintiffs believe the $117.5 million fund will be more than

ample to accommodate the claims made against it, Yanchunis Dec., ¶ 27, but, in the event it is



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

not, all cash-claims drawn from it—i.e., Out-of-Pocket, Paid, and Small Business Users Costs,

and Alternative Compensation—will be reduced pro rata. S.A. § 6.9.

1. Out-of-Pocket Costs

Out-of-Pocket Costs include “costs or expenditures that a Settlement Class Member

actually incurred that are fairly traceable to one or more of the Data Breaches,” and

may include, without limitation: unreimbursed fraud losses or charges;

professional fees incurred in connection with identity theft or falsified tax returns;

fees or expenses incurred for, or as a result of, credit freezes; credit monitoring

that was ordered after January 1, 2012 through the date on which the Credit

Services become available through this Settlement Agreement; [and]

miscellaneous expenses such as notary, fax, postage, copying, mileage, and long-

distance telephone charges . . . .

S.A. § 1.29. For Small Business Users, Out-of-Pocket Costs may also include “wages or fees

paid for the performance of tasks fairly traceable to mitigating the impact of one or more of the

Data Breaches.” S.A. § 1.29.

Time spent remedying issues related to one or more of the Data Breaches is likewise

compensable at the rate of “$25.00 per hour or unpaid time off work at the actual hourly rate of

that Settlement Class Member, whichever is greater,” and can include up to fifteen hours of time

for Settlement Class Members with documented Out-of-Pocket Costs, and up to five hours at that

same rate for Settlement Class Members with undocumented costs. S.A. § 1.29.

Claims can be submitted via a single claim form, accompanied by an attestation regarding

the expenditures incurred and basic documentation (i.e. letter from IRS if claiming IRS tax fraud

expenses). S.A. §§ 6.1, 6.4; S.A. Ex. 6. Proof of causation is limited to establishing the costs are

“fairly traceable” to the Data Breaches, meaning “ (i) the Misconduct occurred in January 2012

or thereafter; (ii) the Settlement Class Member states that he, she, or it believes the Misconduct is

connected to one or more of the Data Breaches; and (iii) the Misconduct involved possible mis-

use of the type of Personal Information accessed in one or more of the Data Breaches . . . .” S.A.

§ 6.3. Preventative measures, “such as obtaining credit monitoring services or credit freezes,

shall be deemed fairly traceable to one or more of the Data Breaches if they were incurred in



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

January 2012 or thereafter and the Settlement Class Member states that they believe the costs

were incurred as a result of one or more of the Data Breaches.” S.A. § 6.3.

Out-of-Pocket Costs Claims can be submitted for 365 days after the Preliminary

Approval Order. S.A. § 6.1. The Settlement Administrator will review claims as they are

submitted, and if a claim is deemed deficient, will notify the Class Member within fifteen days of

that determination. The Class Member then has 30 days to rectify the deficiency. S.A. § 6.2.

2. Paid User and Small Business User Costs

Paid Users are Settlement Class Members that paid for ad-free or premium email services

during the Class Period. S.A. § 1.31. Small Business Users are Settlement Class Members that

paid for Small Business services during the Class Period. S.A. § 1.48. Paid and Small Business

Users can receive up to 25% of the total amounts paid per year by those users between January 1,

2012 and December 31, 2016. S.A. §§ 6.5, 6.7. Small Business Users are subject to a cap of $500

per year. S.A. § 6.7.13

Paid and Small Business Users need only submit a Claim Form identifying

the paid account(s) utilized, and the number of years during the Class Period it was used. S.A.

§§ 6.6, 6.8, Ex’s 8-9. Paid and Small Business Users remain eligible to submit claims for Out-of-

Pocket Costs and for Credit Services or Alternative Compensation. S.A. §§ 6.5, 6.7.

3. Alternative Compensation

Settlement Class Members that already have credit monitoring protections are eligible for

Alternative Compensation in the amount of $100. S.A. §§ 5.1-5.3. Depending on participation,

the amount could rise to as much as $358.80: the full, two-year retail value of the Credit

Monitoring Services being offered. Exh. C., AllClear Declaration. To obtain, Settlement Class

Members need only confirm the timing and type of credit monitoring services they already have,

that they wish to receive Alternative Compensation instead of the Credit Monitoring Services,

and that they will keep their current services active for at least one year. S.A. §§ 5.1, 5.2, Ex. 7.

D. Credit Services

13

This cap exceeds the amount any Small Business User paid for email services and impacts, if any, only those receiving the highest level merchant solutions. Yanchunis Dec., ¶ 49.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

Two years of credit monitoring and identity theft protection services from AllClear ID

will also be provided from the Settlement Fund, at a cost $24 million. S.A. § 4.1, 4.7.

Importantly, the Credit Monitoring Services are not capped at any enrollment number; hence, if

all 196 million Class Members enroll, all will be covered for $24 million—shifting the risk of

greater than historically anticipated enrollment to the vendor rather than the Settlement Fund.

AllClear is an industry leader with more than ten years of specialized experience in data breach

response. It has successfully managed some of the largest data breaches in history. The Credit

Services to be provided by AllClear ID will consist of: three-bureau credit monitoring;14

VantageScore® 3.0 Credit Score and Credit Report from TransUnion®; Fraud Alerts; ID Theft

Insurance up to a limit of $1 million; Identity Theft Monitoring to notify Settlement Class

Members when stolen identity information has been detected and reported through the Internet

Fraud Alert system (Dark Web monitoring); Identity Restoration Services; Identity theft scan of

Settlement Class Members’ minor children identities, up to the age of 18; and assistance with

canceling and replacing credit and debit cards if a wallet is lost or stolen. S.A. § 4.1. This

comprehensive credit monitoring product is especially important here, where Yahoo has not

previously made credit monitoring available. Settlement Class Members will be encouraged to

timely sign up for credit monitoring, and will be educated about the benefits of doing so. S.A.

§ 4.5. Credit Services can be claimed via a straightforward claim form. S.A. § 4.3, Ex. 7.

The Credit Services to be provided to the Settlement Class have a retail value of

$14.95/month.15

Given the Class size, this is an enormous benefit; potentially amounting to

billions of dollars of savings to Settlement Class Members were they to obtain similar, or even

inferior, credit monitoring products on their own. These services are important to protect

Settlement Class Members from further identity fraud and losses.

Because AllClear Credit Services, or any reasonable equivalent, are unavailable in Israel,

Israeli Settlement Class Members are eligible for Alternative Compensation without a showing

14

Single bureau monitoring with TransUnion is activated at the time of enrollment. Members will have to login to their online customer portal or call the support center to accept the filtering policy to activate triple bureau credit monitoring. 15

Declaration of AllClear ID at ¶ 5, filed concurrently herewith (hereinafter “AllClear Dec.”).



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

of current credit monitoring services. S.A. §§ 4.9, 5.4. The underlying U.S. resident, individual

owner(s) of Small Business Users are also eligible to claim Credit Services or Alternative

Compensation—Credit Services will apply in their individual capacity. S.A. § 4.10.

E. Class Notice and Settlement Administration

Notice to the Settlement Class and the costs of administration will also be funded by the

Settlement Fund at a cost of approximately $6 million. S.A. § 10.3; Yanchunis Dec. ¶ 23.

Heffler, a nationally recognized class action settlement administrator has been retained here,

subject to the Court’s approval. Due to the large Class size, and reflective of the nature of the

Data Breaches, individual notice will be achieved primarily via email, as email addresses are

available for most of the Class Members. S.A. Ex. 4 ¶ 11. Notice will also be posted in People

Magazine and National Geographic, as well as Israeli publications, and made via an innovative

and far reaching digital media notice plan, further explained below. Id. ¶¶ 34-50.

F. Service Awards to Named Plaintiffs

Because the Settlement resolves both the MDL and JCCP Cases, named plaintiffs in both

cases have been named as Settlement Class Representatives in the Settlement. S.A. § 1.45. These

consumers have been integral in litigating this matter. All sixteen representatives have been

personally involved in the cases and support the Settlement. Yanchunis Dec., ¶¶ 29-30; Robinson

Dec., ¶ 36. Plaintiffs will separately petition the Court to award each Representative up to $7,500

(for those whose computers were forensically imaged and who were deposed); $5,000 (for either

those whose computer was forensically imaged or were deposed); and $2,500 (for those whose

computers were neither forensically imaged nor were deposed); in recognition of the time, effort,

and expense they incurred pursuing claims that benefited the entire class. This payment will be

made from the Settlement Fund. S.A. §§ 11.1-11.2.

G. Attorneys’ Fees, Costs, and Expenses

Plaintiffs will also seek an award of attorneys’ fees and reimbursement of litigation costs

and expenses, from the Settlement Fund. S.A. § 12.2. The request for an award of attorneys’ fees

will not exceed $30 million and the request for costs and expenses will not exceed $2.5 million.

The request for fees, costs, and expenses will encompass all effort and expenditures incurred by



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

counsel in both the MDL and JCCP Cases. S.A. § 12.1. The motion will include detailed lodestar

information and accounting of expenses. Yanchunis Dec., ¶ 42.

H. Reduction or Residual

If the Settlement Fund is insufficient to cover all Out-of-Pocket Costs, Paid User Costs,

Small Business User Costs, and Alterative Compensation payments, all such cash claims will be

reduced on a pro rata basis. S.A. § 6.9. Conversely, should there be a residue, surplus funds will

first be used to increase the Alternative Compensation payments up to the $358.80 individual

cap, (S.A. § 7.1(a))—the full retail value of two years of the Credit Services. AllClear Dec., ¶ 5.

Next, residual funds will be used to purchase additional months of Credit Monitoring Services, in

monthly installments, until insufficient funds remain to purchase an additional month. S.A.

§ 7.1(b). If additional funds remain following those two steps, then the parties will motion the

Court for distribution to cy pres recipient Electronic Privacy Information Center. S.A. § 7.1(c).

I. Release

In exchange for the benefits provided under the Settlement Agreement, Settlement Class

Members will release any and all claims against Defendants related to or arising from any of the

facts alleged in the complaints filed in this litigation. S.A. §§ 1.39, 13.1-13.4.16

IV. ARGUMENT

A. The Settlement Class Should Be Preliminarily Certified

Before assessing the parties’ settlement, the Court should first confirm that the

underlying settlement class meets the requirements of Rule 23. See Amchem Prods. v. Windsor,

521 U.S. 591,620 (1997); Manual for Complex Litigation, § 21.632. The requirements are well

known: numerosity, commonality, typicality, and adequacy—each of which is met here. Fed. R.

Civ. P. 23(a); Ellis v. Costco Wholesale Corp., 657 F.3d 970, 979-80 (9th Cir. 2011).

1. The Rule 23(a) Requirements Are Met

The Settlement Class includes 896 million accounts, representing some approximately

194 million individuals and small businesses, and so readily satisfies the numerosity

16

In MDL proceedings, it is proper to release claims based on facts alleged in the underlying MDL complaints. See, e.g., In re: Volkswagen “Clean Diesel”, Case No. 3:15-md-02672-CRB, PACER Dkt. No. 3230 at 5-6 (N.D. Cal. May 17, 2017).



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

requirement. See Fed. R. Civ. P. 23(a)(1). The commonality requirement, which requires that

class members’ claims “depend upon a common contention,” of such a nature that

“determination of its truth or falsity will resolve an issue that is central to the validity of each

[claim] in one stroke,” is also met. Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 350 (2011).

Here, Plaintiffs’ claims turn on whether Yahoo’s security environment was adequate to protect

Settlement Class members’ Personal Information. Cert. Memo at 22-23. The resolution of that

inquiry revolves around evidence that does not vary from class member to class member, and so

can be fairly resolved—whether through litigation or settlement—for all class members at once.

Likewise, typicality and adequacy are satisfied. Each proposed Settlement Class

Representative alleges he or she was a Yahoo user, with Personal Information stored on the

UDB, that was exfiltrated during the Data Breaches, and thus they were impacted by the same

inadequate data security that Plaintiffs allege harmed the rest of the Class. Cert. Memo at 23–25;

Just Film, Inc. v. Buono, 847 F.3d 1108, 1118 (9th Cir. 2017) (“[I]t is sufficient for typicality if

the plaintiff endured a course of conduct directed against the class.”). The Settlement Class

Representatives also have no conflicts with the Settlement class; have participated actively in the

case, including by sitting for depositions and allowing their devices to be examined; and are

represented by experienced attorneys who were previously appointed by this Court—or the JCCP

Court—to represent class members’ interests. See Cert. Memo at 26; Staton v. Boeing Co., 327

F.3d 938, 957 (9th Cir. 2003) (adequacy satisfied if plaintiffs and their counsel lack conflicts of

interest and are willing to prosecute the action vigorously on behalf of the class); Yanchunis

Dec., ¶¶ 16, 28, 30, 38-39; Robinson Dec., ¶¶ 2-5, 34-37.

2. The Requirements of Rule 23(b) Are Met

“In addition to meeting the conditions imposed by Rule 23(a), the parties seeking class

certification must also show that the action is maintainable under Fed. R. Civ. P. 23(b)(1), (2) or

(3).” Hanlon v. Chrysler Corp., 150 F.3d 1011, 1022 (9th Cir. 1998). Here, the Settlement Class

is maintainable under Rule 23(b)(3), as common questions predominate over any questions

affecting only individual members and class resolution is superior to other available methods for

a fair and efficient resolution of the controversy. Id. Plaintiffs’ claims depend, first and foremost,



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

on whether Yahoo used reasonable data security to protect their Personal Information. Cert.

Memo at 22, 31-33. That question can be resolved using the same evidence for all Settlement

Class Members, and thus is the precise type of predominant question that makes a class-wide

adjudication worthwhile. See Tyson Foods, Inc. v. Bouaphakeo, 136 S. Ct. 1036, 1045 (2016)

(“When ‘one or more of the central issues in the action are common to the class and can be said

to predominate, the action may be considered proper under Rule 23(b)(3) …’”).

Importantly, predominance analysis in the settlement context need not consider

manageability issues because “the proposal is that there be no trial,” and hence manageability

considerations are no hurdle to certification for purposes of settlement. Amchem, 521 U.S. at

620. There is only the predominant issue of whether Yahoo failed to properly secure the Personal

Information taken from it in the Data Breaches and failed to provide timely notice, such that its

users should now be provided a remedy. Resolution of that issue through individual actions is

impracticable: the amount in dispute for individual class members is too small, the technical

issues involved are too complex, and the required expert testimony and document review are too

costly. See Just Film, 847 F.3d 1108 at 1123. Rather, the class device is the superior method of

adjudicating consumer claims arising from these Data Breaches—just as in other data breach

cases where class-wide settlements have been approved. See, e.g., In re Anthem, Inc. Data

Breach Litig., 15-MD-02617-LHK, 2018 WL 3872788, at *11 (N.D. Cal. Aug. 15, 2018); In re

Linkedin User Privacy Litig., 309 F.R.D. 573, 585 (N.D. Cal. 2015).

B. The Settlement Should be Preliminarily Approved

Recent revisions to Rule 23(e)—effective on December 1, 2018—confirm the need for a

detailed analysis of a settlement at the preliminary approval stage. The Northern District of

California’s Procedural Guidance for Class Action Settlements—first published November 1,

2018—sets forth multiple applicable criteria; and this Circuit relies on many factors for final

approval. Accordingly, Plaintiffs analyze the Settlement under amended Rule 23(e), the

District’s Procedural Guidance, and akin to the analysis required for final approval. Each

analysis weighs in favor of approval.

1) Amended Rule 23(e)



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

Amended Rule 23(e)(1) provides that notice should be given to the class, and hence,

preliminary approval should only be granted, where the Court “will likely be able to” finally

approve the settlement under Amended Rule 23(e)(2) and certify the class for settlement

purposes. Fed. R. Civ. P. 23(e); see also id. 2018 Amendment Advisory Committee Notes. Final

approval is proper under the amended rule upon a finding that the settlement is “fair, reasonable,

and adequate” after considering whether:

(A) the class representatives and class counsel have adequately represented the

class;

(B) the proposal was negotiated at arm’s length;

(C) the relief provided for the class is adequate, taking into account:

(i) the costs, risks, and delay of trial and appeal;

(ii) the effectiveness of any proposed method of distributing relief to the

class, including the method of processing class-member claims;

(iii) the terms of any proposed award of attorney’s fees, including timing

of payment; and

(iv) any agreement required to be identified under Rule 23(e)(3); and

(D) the proposal treats class members equitably relative to each other.

As explained above in section IV.A, the Class here meets the criteria for certification of a

settlement class, including all aspects of numerosity, commonality, typicality, adequacy, and

predominance. Rule 23(e)(1)(B)(ii) is therefore met.

The Court will also “likely be able to” finally approve this Settlement. As an initial

matter, Settlement Class Representatives and Settlement Class Counsel have adequately

represented the Class. See supra section IV.A.1. The original settlement was negotiated at arm’s

length using a team of experienced neutrals, and the Amended Settlement was renegotiated by

Lead Settlement Counsel and Yahoo’s counsel over the course of several weeks, all of which

communications were at arm’s length. See supra section II.H; Yanchunis Dec. ¶ 3. Class Counsel

then took confirmatory depositions of Dr. Whipple and Mr. Slomczynski. Yanchunis Dec. ¶ 50.

a) Adequacy of Relief: Costs, Risks, and Delay

The relief provided by the Settlement is reasonable and adequate, particularly in light of

the risks and delay trial and associated appeals would wreak. At bottom, Plaintiffs built an



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

exceedingly strong case for liability and the real issue, the real risk in the case, was the viability

of Plaintiffs’ damages models and concomitant ability to certify a damages class using them. As

to liability, Plaintiffs’ class certification motion detailed the numerous shortcomings in Yahoo’s

information security environment, despite its contrary representations. Plaintiffs adduced

evidence showing Yahoo was well aware that its Paranoids team was understaffed, underfunded,

and lacked the industry standard tools necessary to protect the valuable information Yahoo held.

Cert. Memo at 11–20. Plaintiffs established that certain senior executives had contemporaneous

knowledge of the 2014 Breach, yet failed to provide notice to users until years later. Id. at 18–20.

Yahoo was aware of the 2012 Intrusions, as Mandiant informed it, in real time. SAC ¶¶ 76-78.

While Plaintiffs provided three potential damages models, supported by three well-

regarded experts, Cert. Memo at 35–39, Defendants raise substantial questions of causation and

damages—both as to the named plaintiffs individually and as to any ability to prove causation or

damages class-wide. ECF No. 295 at 7–8, 13–15, 17–18.

Fundamentally, the Gordian knot of this case was the extreme variability in potentially

impacted Personal Information for any particular Class Member. Generally, data breach cases

involve the pilfering of types of data that are both known and uniform across the class. For

example, in Anthem, it was alleged that personal information such as names, dates of birth,

Social Security numbers, and health care ID numbers, was stored by defendants for each class

member and taken by the attackers. In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953,

966 (N.D. Cal. 2016). In payment card cases, such as In re Home Depot or In re Target, the data

taken is almost always constant for all class members: payment card numbers, expiration dates,

card verification values, and cardholder names.

Here, such uniformity is simply not present. Certainly, some impacted data was fixed for

each impacted account: email addresses, passwords, security questions and answers (for some

accounts), as well as telephone numbers and birth dates, if provided and accurate. Spring-

boarding from that information, specifically the username and passwords, Plaintiffs alleged that

fraudsters could then gain access to Class Members’ email accounts, the contents of which could

contain the most sensitive and dangerous information from an identity theft perspective;



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

including financial communications and records containing credit cards, banking information,

other account passwords, IRS documents, and social security numbers. E.g., SAC ¶ 7. Hence, the

types of especially sensitive information at issue for any particular Class Member necessarily

varied based on the contents of their email account. And the need to access email (or other

account) content also adds an additional significant link in the causal chain.

Understanding the idiosyncratic nature of the data, and thus the damages, at issue in this

particular case, Plaintiffs’ experts endeavored to create damages models that either (1) accounted

for the variations in the impacted data—e.g., James Van Dyke’s survey of the typical contents of

email accounts and valuing of those average contents against, for example, Dark Web Pricing,

Cert. Memo., Ex. 94 ¶¶ 13, 15, 18-35, 66-77—or (2) circumvented any potential individual

inquiry by either (a) valuing the stolen data that was uniform across all accounts—e.g., Ian

Ratner’s Dark Web pricing for email log-in information—or (b) valued the entire corpus of

stolen data in the aggregate by, for example, analyzing the proxy for market value via

methodology that reviewed the revised purchase price Yahoo received in its sale to Verizon and

Verizon’s assumption of breach related liabilities.17

Although Plaintiffs believe all of these approaches are viable, each is necessarily unique

to this particular case and thus wholly untested in a litigated setting, much less before a jury.

Accordingly, Defendants argued that Plaintiffs had not presented any viable method for

determining on a class-wide basis whether: (1) a class member had even provided “PII” to

Yahoo (or sent PII through his or her Yahoo email account), much less (2) what PII there was,

(3) whether it had value, (4) whether that value has since diminished, and (5) if so, whether

Yahoo caused that loss in value. Yahoo disputed Plaintiffs’ experts’ hypothetical “average” user

methodology as at odds with the evidence from the named Plaintiffs showing significant

variability even in the limited data stored in Yahoo’s user database. Through named Plaintiff

depositions and analysis of his or her data, Defendants were able to determine that information

associated with Plaintiffs’ accounts was often missing, out of date, or simply made up (and

Yahoo did not independently verify the accuracy of what its users entered).

17

See Cert. Memo., Exh. 96 ¶ 22–23.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

Thus, while liability facts in this matter have always been very strong, in Plaintiffs’ view,

the viability of any damages model, and certifiability of any damages class based on the model,

was (at least) equally, inversely uncertain.

Denial of class certification would have, for all practical purposes, ended the case with

the Class receiving nothing. Even success on that motion would have resulted in an extended

trial (not scheduled to begin until September 2019); potential motions for de-certification prior

to, or during trial; and appeals of the result, regardless of outcome; all of which would have

taken easily two years more to finalize from the time of the original settlement. All the while,

Class Members would remain wholly unprotected; Yahoo having never offered any kind of

prophylactic credit monitoring or other protections, and without judicial oversight of Yahoo’s

information security improvements. The Settlement fills both those voids: providing credit

monitoring services to all Settlement Class Members who desire it and enhancing Yahoo’s data

security practices. Even if Plaintiffs achieved a successful judgment, injunctive practice changes

would likely be years away following appeals, and credit monitoring would not have been

provided. Delay, then, only further injures the class and increases each Members’ risk of harm.

Although nearly all class actions involve a high level of risk, expense, and complexity—

undergirding the strong judicial policy favoring amicable resolutions, Linney v. Cellular Alaska

P’ship, 151 F.3d 1234, 1238 (9th Cir. 1998)—this is an especially complex class in a particularly

risky arena. Data breach cases face substantial hurdles in surviving even past the pleading stage.

See, e.g., Hammond v. The Bank of N.Y. Mellon Corp., 2010 WL 2643307, at *1 (S.D.N.Y. June

25, 2010) (collecting cases). Even cases of similar wide-spread notoriety and implicating data

arguably far more sensitive than at issue here have been found wanting. In re U.S. Office of

Pers. Mgmt. Data Sec. Breach Litig., 266 F. Supp. 3d 1, 19 (D.D.C. 2017) (“The Court is not

persuaded that the factual allegations in the complaints are sufficient to establish . . . standing.”).

This Settlement provides a fair and just mechanism for relief to the Class. It is certain

and provides long overdue monetary and non-monetary compensation. The Settlement compares

favorably in nearly every pertinent way to that approved by this Court in In re Anthem, Inc. Data

Breach Litig., 327 F.R.D. 299 (N.D. Cal. 2018), as shown below:



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

Yahoo UDB Yahoo Mail Anthem

Class Size ≤ 200 million ≤ 100 million 79 million

PII compromised (excl. SSN)

Yes Yes Yes

SSN compromised No Possibly, if in email content

Yes

PHI compromised No Possibly, if in email content

Yes

Total Common Fund $117,500,000.00 $115,000,000

Common Fund Available Minus Notice/Administration

$111,500,000 $92,000,000

Credit Monitoring Costs $24,000,000 $17,000,000

Individual claim cap $25,000 $10,000

Lost Time: Rate $25/hour or actual hourly rate $15/hour or actual hourly rate

Lost Time: Hours 15 hours for documented time 5 hours for undocumented

10 hours, above which required “a detailed showing”

Alternative Compensation $100, up to $358.80 $36, up to $50

CISO Advisory Board Yes No

Security Commitment 4 years 3 years

Outside Assessment shared with Lead Plaintiff Counsel/Expert

Yes Yes

Security Spend 4x prior levels 3x prior levels

Security Headcount Commitment

3x prior levels 3x prior levels

b) Adequacy of Relief: Proposed Method Of Distributing Relief

Relief will be distributed to the Class via the use of claim forms on which Class Members

will identify any Out-of-Pocket Costs they have incurred, provide the necessary information for

obtaining Credit Monitoring Services (or opt for Alternative Compensation), or establish Paid

User or Small Business User costs. This claim form method recognizes the inherent variability of

out-of-pocket damages from identity theft, as well as the need for additional identifying



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

information in order to initiate Credit Monitoring Services. Claims forms are also necessary in

order to grapple with the issue of identifying actual class members—while impacted accounts are

readily ascertainable, drilling down to impacted individual persons, and providing those

individuals with monetary or other relief, is less straightforward. The claim forms will thus

permit the Settlement Administrator to marry account data to individual Class Members.

Class Members may submit claim forms for every type of relief for up to 365 days

following preliminary approval. The Settlement Administrator will review claim forms as they

are submitted, and if deemed deficient, will notify the Settlement Class Member within fifteen

days, and the Class Member then has 30 days to rectify. S.A. §§ 6.2, 6.6, 6.8, 5.2, 4.3.

The Settlement Administrator, Heffler, has vast experience in many complex class action

lawsuits, and the individual responsible for creating and implementing the notice plan here,

Jeanne Finegan, has been repeatedly noted as an expert in the field and lauded by courts across

the country. See S.A. Exh. 4 ¶¶ 5–12. Heffler will create a settlement website, toll-free telephone

number, and mailing address through which the Class can obtain information and file claims.

The process for notifying the Class is robust, and will more than meet the dictates of due

process. Here, because email addresses are available for the vast majority of Class Members, the

chief vector of direct, individual notice will be via email. S.A. Ex. 4 ¶ 11. Even prior to the

amendment to Rule 23(c)(2)(B) expressly permitting electronic notice, email notice in similar

circumstances has been found appropriate. See, e.g., Spann v. J.C. Penney Corp., 314 F.R.D.

312, 331 (C.D. Cal. 2016). Substitute notice will also be provided by publication People

magazine and National Geographic, and online via display adds, and through social media,

resulting in a reach rate of 80%. S.A. Ex. 4 ¶¶ 4, 33-50. Copies of all notice documents are

attached to this motion; they are clear and concise, and directly apprise Settlement Class

Members of all the information they need to know to make a claim. Fed. R. Civ. P. 23(c)(2)(B).

Moreover, on the dedicated Settlement website, Class Members will be able to review the

detailed Long Form Notice, which provides understandable information with respect to all the

relevant aspects of the litigation in English, Spanish, Hebrew, and Arabic. Thus, the Notice

provides all information necessary for Settlement Class Members to make informed decisions



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

regarding whether to remain in or opt-out, or object to the Settlement. Yanchunis Dec., ¶¶ 47.

The Notice Plan has been developed by a provider with significant experience in designing

notice plans in large and national class actions similar to this one. Yanchunis Dec., ¶ 47-48.

c) Adequacy of Relief: Attorneys’ Fees

Plaintiffs will seek an award of attorneys’ fees and reimbursement of litigation costs and

expenses, from the Settlement Fund. S.A. § 12.2. The request for an award of attorneys’ fees will

not exceed $30 million—25.5% of the Settlement Fund—and the request for costs and expenses

will not exceed $2.5 million. S.A. § 12.1.18

The request for fees, costs, and expenses will

encompass all effort and expenditures incurred by MDL and JCCP Counsel. S.A. § 12.1. Fees,

costs, and expenses will be paid from the Settlement Fund twenty days after the Effective Date,

or twenty days after entry of the order setting attorneys’ fees and expenses, and before the

Effective Date, upon execution of an agreement pursuant to which Class Counsel and JCCP

Counsel agree to be jointly and severally obligated to repay the attorneys’ fees and expenses to

the Settlement Fund if the Effective Date does not occur. S.A. § 12.2.

d) Rule 23(e)(3) Agreements and Equality of Treatment

No Rule 23(e)(3) agreements are in place in this matter.

The Settlement treats class members equitably relative to each other. All Class Members

are eligible for reimbursement of Out-of-Pocket Costs and Credit Monitoring Services (or

Alternative Compensation). Class Members who paid for Yahoo services—Paid Users and

Small Business Users—will receive reimbursement of a portion of their payments to account for

their lost benefit of the bargain. Because Credit Services are unavailable in Israel, Israeli Class

Members may opt for Alternative Compensation without showing they have credit monitoring.

2) District’s Procedural Guidance

The Northern District of California’s Procedural Guidance for Class Action

Settlements—first published November 1, 2018—sets forth multiple applicable criteria,

18

Six Mexican Workers v. Ariz. Citrus Growers, 904 F.2d 1301, 1311 (9th Cir. 1990) (“[W]e established 25 percent of the fund as the ‘benchmark’ award that should be given in common fund cases.”).



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

addressed below. N.D. Cal., Procedural Guidance for Class Action Settlements (Dec. 5, 2018)

(hereinafter “District Guidance”).

a) District Guidance Factor 1: Settlement Information

i) Factors 1(a) & 1(c): Classes and Claims Alleged v. Settled

In accord with the Court’s prior direction in the order denying preliminary approval,

Plaintiffs concurrently filed a Second Amended Complaint, which harmonizes both the

Settlement Class and the claims to be released with the operative complaint.

ii) Factor 1(e): Anticipated Recovery v. Settlement Amount

Plaintiffs potential recovery, had they fully prevailed, occupies a broad spectrum.

Plaintiffs retained several experts to opine, among other things, on damages incurred by Class

Members. Plaintiffs’ expert James Van Dyke—leveraging consumer survey results—determined

the types of Personal Information in consumers’ accounts and proposed a method for valuing that

information class-wide. Cert. Memo., Ex. 94 ¶¶ 13, 15, 18-35, 66-77. Mr. Van Dyke would

have sought to testify at trial that the average Yahoo breach victim encountered a lost value of

personal data totaling $23.95. In reaching that opinion, Mr. Van Dyke determined an

approximate Dark Web price for selected types of exposed personal data. He then arrived at

values for each data element reflected in the consumer survey as being present in consumers’

accounts, resulting in the total, average loss.

Plaintiffs’ expert Ian Ratner also provided valuation metrics in his report, noting that an

individual’s entire portfolio of PII has been valued as high as $1,200 per person, that some

studies show that users value their passwords alone at as much as $75.90, that following the

breach announcements Verizon obtained a $350 million reduction in purchase price, that Dark

Web transactions involving similar personal information range from $0.10 to $30.00 per user

account, that Dark Web transactions involving email login information for Yahoo and Gmail

email accounts are valued at around $1 per account, that Dark Web transactions involving social

media login information range from a low of $0.10 for Twitter accounts to a high of $5.20 for

Facebook accounts, and that in comparable data breach settlements the value per class member

ranges widely from $1 to $50, with the Anthem and V-tech settlements relating to PII that is the



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

most comparable to the Yahoo Data Breaches indicating a range of $1.02 to $1.46. (Class Cert.

Mtn, Ex. 96 ¶¶ 14, 20, 22, 24-27, 31-32).

The above analysis would be significantly challenged by Defendants, however, as

explained above in section IV.B.1.a.

In light of the positions summarized above, during the negotiations in this case, and as a

guide for those negotiations between the parties, Plaintiffs’ counsel considered the approximately

$1.00 per user valuation as a benchmark and one that could be reasonably pursued at trial under

the class model. This valuation comports with Class Counsels’ cumulative experience in the data

breach and privacy cases they have handled throughout the country. As a result of that

experience, Class Counsel was also well positioned to determine whether an individual Class

Member has been damaged, and to assess the types and ranges of damages sustained by

consumers as a result of the abuse of their Personal Information. Class Counsels’ data breach

experience, and their experience with claims in settled data breach cases, likewise provided them

with the ability to forecast how many consumers of a particular cohort would be adversely

affected and submit claims—from less than 1% to 3%—and thus how to negotiate and arrive at

the amount of the Settlement Fund needed here.

Discovery in this case indicated that there were approximately 50-6019

million active

accounts on a month over month basis during the pendency of this litigation—meaning accounts

that had sent (not just received) at least an email. The original $50 million Settlement Fund

alone, then, provided a cash recovery of approximately $1.00 per active user with a 100% claims

rate. As explained by Mr. Slomczynski, in 2012, 2013, and 2016 there were, respectively, 112.8

million, 113.5 million, and 77.4 million registered user accounts that accessed a Yahoo property,

on average during the 4th

quarters, from a U.S. IP address. Based on those numbers as well

(which reflect registered user accounts, not individuals), the Settlement Fund provides

approximately $1.00 per active registered user account.

Likewise, assuming a Class of 194 million individuals, at the most, the $117.5 million

19

See 2016 Adestra Consumer Adoption & Usage Study, https://www.adestra.com/resources/2016-consumer-adoption-usage-study/.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

Settlement Fund provides a cash recovery of nearly 60% of the anticipated potential full recovery

under one of the damage models that could have been pursued at trial ($1 per user log-in

information)—even if ignoring the very significant benefits provided by the Business Practice

Changes—a figure well within the range of reasonableness given the risks associated with this

type of case, and the difficulty Plaintiffs faced in certifying a damages class.20

iii) Factor 1(g): Expected Claims Rates

Plaintiffs expect Out-of-Pocket Costs claims-rates in this case to follow that seen in most

other large, consumer data breach cases: from below one percent to three percent. The claims

rates in Target, Home Depot, and Anthem fell within this range. See, e.g., In re Anthem, Inc.

Data Breach Litig., 15-MD-02617-LHK, 2018 WL 3872788, at *13 (N.D. Cal. Aug. 15, 2018)

(noting a 1.8% claims rate for the Anthem class, and “claims rates of approximately 0.2% and

0.23% in the In re Home Depot and In re Target data-breach actions”); In re the Home Depot,

Inc., Customer Data Sec. Breach Litig., No. 1:14-MD-02583-TWT, ECF No. 245-1 (N.D. Ga.)

(noting submission of 127,527 claims for a class of approximately 40,000,000 individuals, a rate

of .31%). Those cases were chosen as comparators because they were each large, well-

publicized consumer data breach cases, with tens of millions of class members, as here.

The credit monitoring claims rate in Anthem was 1.6%. Anthem, 15-MD-02617-LHK,

ECF No. 1007 at 7. The credit monitoring claims rate in Home Depot was less than 1%.

Anthem is the only comparator case offering an Alternative Compensation option in place

of credit monitoring. The claims-rate for that relief in Anthem was approximately 0.2%.

20

See, e.g., Destefano v. Zynga, Inc., 12-CV-04007-JSC, 2016 WL 537946, at *11 (N.D. Cal. Feb. 11, 2016) (approving settlement where, following deductions for attorneys’ fees and costs and administration costs, the payout to the Settlement Class was approximately 9.5 percent of the likely recoverable damages); In re Celera Corp. Sec. Litig., 5:10-CV-02604-EJD, 2015 WL 7351449, at *6 (N.D. Cal. Nov. 20, 2015) (granting final approval on a settlement fund of $24,750,000, which represented 17 percent of the plaintiff’s total estimated damages with a per-share recovery of $1.02); In re Omnivision Techs., Inc., 559 F. Supp. 2d 1036, 1042 (N.D. Cal. 2008) (granting final approval of a settlement fund of $13.75 million where the gross class recovery was 9 percent of maximum potential recovery, which totaled 6 percent after deductions for attorneys’ fees and costs); see also Nat'l Rural Telecommunications Coop. v. DIRECTV, Inc., 221 F.R.D. 523, 527 (C.D. Cal. 2004) (“[I]t is well-settled law that a proposed settlement may be acceptable even though it amounts to only a fraction of the potential recovery that might be available to the class members at trial.”).



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

Anthem, 15-MD-02617-LHK, ECF No. 1007 at 7. Experience with paying-user type claims is

significantly more limited. However, In re Linkedin User Privacy Litig., 309 F.R.D. 573, 589

(N.D. Cal. 2015), dealt with a similar paying-user, data breach class, and resulted in 47,336

claims out of a class of approximately 798,000; a rate of 5.9%.

Although the parties along with Heffler will use their best efforts to maximize the claims

rate in this case, experience counsels to expect a similar range of claims-rates here. Specifically,

the parties anticipate an approximately one to three percent claims rate for Out-of-Pocket Costs,

one to two percent claims rate for Credit Monitoring Services; .1 to .3 percent rate for

Alternative Compensation; and four to eight percent rate for Paid and Small Business Users.21

b) Factor 2: Administrator Selection

Yahoo, which initially was paying for all Administrative Expenses separately from the

Settlement Fund (ECF No. 330-3, § 10.3), was principally responsible for selection of Heffler as

the Settlement Administrator in this case. Plaintiffs’ Lead Settlement Counsel suggested three

additional potential administrators, from whom Yahoo solicited and obtained bids: Epiq

Systems, KCC, and Angeion. The bids submitted by all vendors were sufficiently similar once

normalized for services included. It is estimated that the Settlement Administration costs will be

approximately 6 million. Heffler’s proposed notice plan for social media and publication was

the most robust and, therefore, favored; resulting in a projected 80% reach-rate, much higher

than the typically accepted 70% reach-rate threshold.

Plaintiffs’ Lead Settlement Counsel only engagement with Heffler over the last two years

was as one of a number of lawyers in the case of In re TracFone Unlimited Serv. Plan Litig., 13-

CV-03440-EMC, 2015 WL 13035125 (N.D. Cal. Feb. 20, 2015), which settled a nationwide

class. The FTC, which also settled a case arising from the conduct that was the subject of the

class action, retained the notice and claims administrator. The defendant in those cases retained

Jeanne Finnegan—now President of Heffler’s HF Media division—as a notice expert to assist in

21

As to Factor 1(h), the Settlement Fund is wholly non-reversionary. Under no circumstances will any monies revert to Defendants



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

the design of the notice program. Her time was compensated by the defendant in Tracfone.22

Given the Parties’ comfort with the Notice Plan and Jeanne Finnegan, Heffler was selected.

c) Factors 3-5: Notice Plan, Opt-Outs, and Objections

The Notice Plan is thorough, far-reaching, and effective. S.A. Ex. 4. Notice will be

provided in English, Spanish, Hebrew and Arabic to account for the makeup of the Class. The

Notices clearly advise Class Members of their ability to opt-out and provides 120 days from the

Notice Date for opt-out selections to be submitted. S.A. Ex. __[[##]]. In accord with the

District’s Guidance, the procedure for opting out requires only that Class Members provide the

Settlement Administrator with their name, mailing address, and email address or telephone

number; an explanation of why they believe they are a Settlement Class Member; the words

“Notification of Exclusion” or a statement that you want to be excluded from the Settlement; and

their signature. S.A. Exh. __, § 30. Likewise, the procedure for Objecting is set forth clearly in

the Notices. Id. § 25. Objections must be submitted in writing to the to the Court no later than

120 calendar days after the Notice Date, and must include the objector’s name, address, personal

signature, a statement of grounds for the objection, a statement indicating the basis for the

objector’s belief that they are a Settlement Class Member, a statement identifying the number of

class action settlements objected to in the last three years, a statement whether the objector

intends to appear at the Final Fairness Hearing, either in person or through counsel, and if

through counsel, identifying counsel by name, address, and telephone number. S.A. § 9.7.

d) Factor 6: Attorneys’ Fees, Costs, and Expenses

Settlement Class Counsel will seek no more than $30 million from the Settlement Fund,

approximately 25.5%. Attached hereto as Exhibit H is applicable lodestar information. Class

Counsel will file a full Motion for Fees imminently, and no later than 30 days from this filing.

e) Factors 7-10: Service Awards, Cy Pres, Timeline, and CAFA

Plaintiffs are seeking Service Awards for all Settlement Class Representatives with the

22

Although not Lead Counsel, Class Counsel Stuart Davidson, also has a positive experience with Heffler when it served as settlement administrator in the MDL No. No. 1850, In re Pet Food Products Liability Litigation, No. 07–2867 (NLH) (D.N.J.), a nationwide class settlement where Mr. Davidson served as Co-Lead Class Counsel.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

amounts set by their objectively determined involvement in the case via undertakings such as

forensic imaging of their devices or deposition. S.A. § 11.1; supra § III.F.

Residual Settlement Fund amounts with first be used to increase the Alternative

Compensation payments up to the retail value of the Credit Monitoring Services, then any

remaining amounts will be used to purchase additional Credit Monitoring Services, in one-month

increments, until such time as insufficient funds exist to purchase another full month. S.A. § 7.1.

Any remaining amounts thereafter will be distributed to cy pres recipients. In accord with the

District Guidance, the Parties identify the Electronic Privacy Information Center (“EPIC”) as the

designee. EPIC’s mission is to focus attention on emerging privacy and civil liberties issues and

to protect privacy, freedom and expression, and democratic values in the information age. Given

EPIC’s focus on digital privacy issues, and this case’s similar digital privacy emphasis, EPIC is a

natural recipient of any residual funds. Class Counsel have no prior relationship with EPIC.23

Class Members will have far more than the District’s Guidance recommended thirty-five

days to object or opt-out of the Settlement. Plaintiffs are imminently filing their motion for

attorneys’ fees. Class Members will then have 120 days after the Notice Date (which is triggered

no more than 45 days after Preliminary Approval is granted) to object or opt-out.

CAFA Notice is required and will be given, as it was previously during the pendency of

the First Motion for Preliminary Approval, see ECF No. 336. Compliance with the coupon

settlement provisions of CAFA, or other settlement related dictates, are inapplicable here.

f) Factor 11: Past Distributions

Lead Settlement Class Counsel has been involved in multiple similar data breach

settlements. The most similar of which are In re Home Depot and In re Target. The information

sought in the District Guidance for those cases is in the chart attached as Exhibit I.

3) Ninth Circuit Final Approval Factors

The amended rule and the District Guidance reflect many of the factors already used in

this Circuit for final approval: (1) the strength of the plaintiff’s case; (2) the risk, expense,

23

EPIC has, however, filed independent amicus briefs in certain cases Class Counsel have been involved in, including in a pending appeal in In re Facebook, Inc. Biometric Information Privacy Litig., No. 18-15982, ECF No. 46 (9th Cir. Dec. 17, 2018), which Mr. Davidson is involved in.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

complexity, and likely duration of further litigation; (3) the risk of maintaining class action status

throughout the trial; (4) the amount offered in settlement; (5) the extent of discovery completed

and the stage of the proceedings; (6) the experience and views of counsel; (7) the presence of a

governmental participant; (8) the reaction of the class members to the proposed settlement; and

(9) whether the settlement is a product of collusion among the parties. In re Bluetooth Headset

Products Liab. Litig., 654 F.3d 935, 946 (9th Cir. 2011).

a) The Strength of Plaintiffs’ Case and Risk of Further Litigation

The strengths of Plaintiffs’ case and risks of further litigation are explained above in

section IV.B.1.a. Those arguments are not repeated here. Plaintiffs would add, however, that by

settling now, practical remedies that have been sorely absent become imminently available.

While the Breaches occurred some time ago, credit monitoring services have never been offered;

while Yahoo had contemporaneous knowledge of the 2014 Breach, data security remained

inadequate. The Settlement fills both those voids.

b) The Risk of Maintaining Class Action Status Through Trial

While Plaintiffs have moved for class certification, none of Plaintiffs’ claims had yet

been certified. Certification of consumer data breach cases is rare—first (and, thus far, only)

occurring in Smith v. Triad of Alabama, LLC, 2017 WL 1044692, at *6 (M.D. Ala. Mar. 17,

2017)—and unprecedented in a case of this size.24

The dearth of direct precedent adds to the

risks posed by continued litigation.

c) The Amount Offered in Settlement

The $117.5 million Settlement Fund is a fair and reasonable outcome. This Fund far

outpaces funds in similar cases, as does the $25,000 individual claim cap.25

The quality of the

credit monitoring product is directly on par with that offered in similar data breach settlements,

24

Class certification was recently denied in a data breach case in So. Indep. Bank v. Fred’s Inc., No. 2:15-cv-00799 (M.D. Ala. Mar. 13, 2019), although unlike here, one state’s laws did not apply to the plaintiffs’ claims. 25

See, e.g., Anthem, 2018 WL 3872788, at *6, *18 (noting a $15 million fund for out-of-pocket costs, a $13 million allocation for alternative compensation, and a $10,000 individual cap); Home Depot, 2016 WL 6902351, at *6 ($13 million fund with $10,000 individual cap); Target, 2017 WL 2178306, at *2 ($10 million settlement fund with $10,000 individual cap).



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

many of which had information that is designated more sensitive under the law, and the business

practice changes safeguard Settlement Class Members’ information by addressing the

deficiencies identified during discovery in Yahoo’s information security apparatus.

d) The Extent of Discovery Completed and the Stage of Proceedings

This agreement was not reached until over two years after the first of the Data Breaches

was announced. In the interim, significant steps were taken. Two motions to dismiss were

briefed and ruled upon in the MDL Case; one demurrer was briefed and ruled upon in the JCCP

Case; Plaintiffs reviewed over 9 million pages of documents; they took seven depositions,

including all three of Yahoo’s relevant CISOs, the head of the Incident Response Team at the

time of the 2014 Breach, and the CIO; all named plaintiffs from the MDL Case were deposed;

Plaintiffs produced four expert reports, and all four experts were deposed; Plaintiffs filed their

motion for class certification and Defendants responded thereto and filed multiple Daubert

motions, and the JCCP Plaintiffs filed their motion for class certification as well. Yanchunis

Dec., ¶¶ 11-17; Robinson Dec., ¶¶ 21-30, 32. This entailed significant document review and

other discovery processes, as discussed in the Declaration of Ariana Tadler, Exhibit J, including

the creation of coding manuals, reviewer training, multi-level reviews, and deposition teams.

Accordingly, Plaintiffs are well informed and had their experts’ opinions in formulating

appropriate Business Practice Changes.

e) The Experience and View of Counsel

MDL Class Counsel were appointed over two years ago. ECF No. 58. This group has

substantial experience litigating complex class cases of various natures, and extensive exposure

to the highest profile data breach cases in the country. Yanchunis Dec., ¶ 39. Mr. Robinson was

appointed by the JCCP Court and has similar credentials. Robinson Dec., ¶¶ 2-5. Having worked

on behalf of the putative class since the Breaches were first announced, and having dedicated

thousands of hours to the case, proposed Settlement Class Counsel endorse the Settlement

without reservation. Yanchunis Dec., ¶¶ 43; Robinson Dec., ¶¶ 5-9, 34-35.

f) The Presence of a Government Participant

Plaintiffs pursued their claims independently. Should preliminary approval be granted,



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

the United States Attorney General and Attorneys General of each of the States will be notified

pursuant to CAFA, 28 U.S.C. § 1715, and given an opportunity to raise any objections.

g) The Reaction of the Class Members to the Proposed Settlement

This factor is not yet implicated, however, Settlement Class Representatives all strongly

support the Settlement. Yanchunis Dec., ¶ 30.

h) Lack of Collusion Among the Parties

The Parties negotiated a substantial Settlement Fund. The Parties did not commence

discussion of fees until agreement on all substantive portions of the class resolution had been

reached, and both the class portion of the resolution and the fees were negotiated at arms-length

under the direction of the Honorable Daniel Weinstein (Ret.), Jed Melnick, and Simone Lelchuk

of JAMS. See G. F. v. Contra Costa Cty., 2015 WL 4606078, at *13 (N.D. Cal. July 30, 2015)

(“[T]he assistance of an experienced mediator in the settlement process confirms that the

settlement is non-collusive.” (internal quotation marks omitted)). The Amended Settlement was

likewise re-negotiated at arm-length between Lead Settlement Counsel and Yahoo’s counsel and

in consultation with Jed Melnick, and subject to confirmatory depositions.

i) The Proposed Notice Plan Should Be Approved

Rule 23 requires that prior to final approval, the “court must direct notice in a reasonable

manner to all class members who would be bound by the proposal.” Fed. R. Civ. P. 23(e)(1). For

classes certified under Rule 23(b)(3), “the court must direct to class members the best notice that

is practicable under the circumstances, including individual notice to all members who can be

identified through reasonable effort.” Fed. R. Civ. P. 23(c)(2)(B). Under amended Rule

23(c)(2)(B), “[t]he notice may be by one or more of the following: United States mail, electronic

means, or other appropriate means.” Fed. R. Civ. P. 23(c)(2)(B) (effective Dec. 1, 2018).

The Notice Plan is explained above in Sections IV.B.1.b and IV.B.2.c. See also S.A. Ex.

4. Copies of all the notice documents are attached to this motion. In connection with

implementation of the Notice Plan and administration of the settlement benefits, the Parties

request the Court to appoint Heffler to serve as the Settlement Administrator.



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

C. Appointment of Settlement Class Counsel

Under Rule 23, “a court that certifies a class must appoint class counsel . . . [who] must

fairly and adequately represent the interests of the class.” Fed. R. Civ. P. 23(g)(1)(B). In making

this determination, courts generally consider the following: (1) the proposed class counsel's work

in identifying or investigating potential claims, (2) the proposed class counsel’s experience in

handling class actions or other complex litigation, and the types of claims asserted in the case,

(3) the proposed class counsel's knowledge of the applicable law, and (4) the proposed class

counsel’s resources committed to representing the class. Fed. R. Civ. P. 23(g)(1)(A)(i-iv).

Here, proposed Settlement Class Counsel have extensive experience prosecuting class

action cases, and specifically data breach cases, and were previously appointment by this Court,

or by the JCCP Court. See Yanchunis Dec., ¶ 38-39; Robinson Dec., ¶¶ 2-5 & Ex 1. Mr.

Robinson was appointed as co-lead counsel in the JCCP Case and his inclusion here as Class

Counsel acknowledges the coordination of the MDL and JCCP Cases throughout discovery, and

the joint resolution of the matters here through the settlement of the claims in both consolidated

actions in this case. Accordingly, the Court should appoint John Yanchunis, Gayle Blatt, Stuart

Davidson, Karen Hanson Riebel, Ariana Tadler, and Daniel S. Robinson as Class Counsel.

D. Schedule for Final Approval

Should the Court has grant this motion, the timeline for providing notice, opting out of

the Settlement Class, and submitting claims will begin to run. Plaintiffs provide an agreed-upon

schedule in their Motion to Notice Class.

V. CONCLUSION

In light of the significant benefits to provided by the Settlement to the

Class, Plaintiffs request that the Court grant Plaintiffs’ Motion to Notice Class.

DATED: April 8, 2019 Respectfully submitted,

MORGAN & MORGAN COMPLEX LITIGATION GROUP John A. Yanchunis

s/ John A. Yanchunis



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

201 N. Franklin Street, 7th Floor

Tampa, FL 33602

Telephone: 813/223-5505

813/223-5402 (fax)

ROBBINS GELLER RUDMAN

& DOWD LLP

Stuart A. Davidson (Admitted Pro Hac Vice)

120 East Palmetto Park Road, Suite 500

Boca Raton, FL 33432

Telephone: 561/750-3000

561/750-3364 (fax)

[email protected]

CASEY GERRY SCHENK FRANCAVILLA

BLATT & PENFIELD LLP

Gayle M. Blatt

110 Laurel Street

San Diego, CA 92101

Telephone: 619/238-1811

619/544-9232 (fax)

MILBERG TADLER PHILLIPS

GROSSMAN LLP

Ariana J. Tadler

One Pennsylvania Plaza, 19th Floor

New York, NY 10119

Telephone: 212/594-5300

212/868-1229 (fax)

LOCKRIDGE GRINDAL NAUEN P.L.L.P.

Karen Hanson Riebel

100 Washington Ave. South, Suite 2200

Minneapolis, MN 55401

Telephone: 612/339-6900

612/339-0981 (fax)

ROBINSON CALCAGNIE, INC.

Daniel S. Robinson (244245)

19 Corporate Plaza Dr.

Newport Beach, CA 92660

Telephone: 949/720-1288

949/720-1292

[email protected]

Attorneys for Plaintiffs and Proposed Class

Counsel



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

CERTIFICATE OF SERVICE

I hereby certify that on April 8, 2019, I authorized the electronic filing of the foregoing

with the Clerk of the Court using the CM/ECF system which will send notification of such filing

to the e-mail addresses denoted on the attached Electronic Mail Notice List.

I certify under penalty of perjury under the laws of the United States of America that the

foregoing is true and correct. Executed April 8, 2019.

/s/ John A. Yanchunis___

John A. Yanchunis

MORGAN & MORGAN COMPLEX

LITIGATION GROUP

201 N. Franklin Street,

7th Floor Tampa, FL 33602

Telephone: 813/223-5505

813/223-5402 (fax)


1 MORGAN & MORGAN MILBERG TADLER PHILLIPS ......2019/04/09 · 1 MORGAN & MORGAN 2 3 4 5 6 7 8 9 10...

Documents

Transcript of 1 MORGAN & MORGAN MILBERG TADLER PHILLIPS ......2019/04/09 · 1 MORGAN & MORGAN 2 3 4 5 6 7 8 9 10...